DynA-Crypt

DynA-Crypt targets the Windows OS and its method of distribution is currently unknown. This variant was developed using the Dynamite Malware Creation Kit and contains a number of individual executables and PowerShell scripts used to steal, delete, and encrypt data. Once a system is infected, DynA-Crypt first attempts to steal any sensitive data the victim may have on the screen or within certain programs. It takes screen captures, records system sounds, logs keystrokes, and steals data from Chrome, Firefox, Thunderbird, Skype, Steam, Minecraft, and TeamSpeak. After compiling this data, DynA-Crypt copies it to a folder named %LocalAppData%\dyna\loot\ and creates a ZIP file named loot.zip to send to the hacker behind the campaign. After exfiltrating the data, DynA-Crypt deletes the files and folders containing that data from the victim’s system. It also deletes everything on the desktop. It then encrypts the remaining targeted files using a PowerShell script and an AES encryption script, appending .crypt to the end of the file names. DynA-Crypt deletes Shadow Volume Copies to prevent file restoration by the victim. The ransom payment amount is $50 worth of Bitcoin.
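The artifacts named above (the staging folder, loot.zip, the .crypt suffix, and shadow copy deletion) can be checked for in endpoint telemetry. The Python below is an added example, not code from NJCCIC or Bleeping Computer; the event format, the burst threshold, the location of loot.zip, and the shadow-copy command patterns are assumptions.

```python
import re
from collections import Counter

# Artifacts named in the profile: the staging folder, loot.zip, the .crypt suffix.
LOOT_DIR = re.compile(r"\\appdata\\local\\dyna\\loot(\\|$)", re.I)
LOOT_ZIP = re.compile(r"(^|\\)loot\.zip$", re.I)
CRYPT_EXT = re.compile(r"\.crypt$", re.I)
# Assumption: the profile does not say how shadow copies are deleted; these
# are two standard Windows commands for doing so.
SHADOW_DEL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
CRYPT_BURST = 3  # assumed threshold of new .crypt files per host

def triage(events):
    """Return {host: sorted indicator names} for hosts with at least one hit."""
    hits, crypt = {}, Counter()
    for e in events:
        found = hits.setdefault(e["host"], set())
        if e["type"] == "file_create":
            if LOOT_DIR.search(e["path"]):
                found.add("loot_staging_dir")
            if LOOT_ZIP.search(e["path"]):
                found.add("loot_zip")
            if CRYPT_EXT.search(e["path"]):
                crypt[e["host"]] += 1
        elif e["type"] == "process_create" and SHADOW_DEL.search(e["cmdline"]):
            found.add("shadow_copy_deletion")
    for host, n in crypt.items():
        if n >= CRYPT_BURST:  # a lone .crypt file is not treated as a hit
            hits[host].add("crypt_rename_burst")
    return {h: sorted(s) for h, s in hits.items() if s}

def file_event(host, path):
    return {"host": host, "type": "file_create", "path": path}

def proc_event(host, cmdline):
    return {"host": host, "type": "process_create", "cmdline": cmdline}

# Constructed sample events (not real telemetry); loot.zip location is assumed.
SAMPLE = [
    file_event("WS01", r"C:\Users\alice\AppData\Local\dyna\loot\screen.png"),
    file_event("WS01", r"C:\Users\alice\AppData\Local\dyna\loot.zip"),
    proc_event("WS01", "vssadmin.exe Delete Shadows /All /Quiet"),
    file_event("WS01", r"C:\Users\alice\Documents\a.docx.crypt"),
    file_event("WS01", r"C:\Users\alice\Documents\b.xlsx.crypt"),
    file_event("WS01", r"C:\Users\alice\Pictures\c.jpg.crypt"),
    file_event("WS02", r"C:\Tools\notes.crypt"),     # single file: below threshold
    proc_event("WS03", "vssadmin.exe list shadows"),  # listing, not deleting
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE).items():
        print(host, found)
```

Because the profile describes the loot folder being deleted after exfiltration, file-creation telemetry is a more reliable source for the staging indicators than a later disk scan.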

Bleeping Computer has more information about DynA-Crypt here and provides a free decryption tool to any victim who requests one via a comment at the bottom of the page.

One example of the DynA-Crypt variant. Image Source: Bleeping Computer

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.